Spring Cloud Config and Function Receive Urgent Security Patches
On May 8, 2026, the Spring security team published patches addressing four CVEs across Spring Cloud Config and one in Spring Cloud Function. Teams using these components in production should treat these upgrades as high-priority.
Spring Cloud Config is the most severely affected component, with three distinct vulnerabilities patched simultaneously:
- CVE-2026-22739 (Profile Substitution / SSRF): When Spring Cloud Config Server uses a native file system backend, substituting a crafted profile parameter into the configuration request allowed path traversal — accessing files outside the configured search directories. For repository-backed configurations, the same substitution could reach the URL pointing to the source control repository, enabling Server-Side Request Forgery (SSRF) attacks.
- CVE-2026-41002 (TOCTOU on Git Clone Directory): The base directory that Config Server uses to clone Git repositories is susceptible to a time-of-check-time-of-use race condition. An attacker with local access to the cloning environment could manipulate the directory between the security check and the actual file operation.
- CVE-2026-41004 (Sensitive Information in Logs): When trace logging is enabled, Spring Cloud Config Server placed sensitive configuration values in plaintext log output. Organizations shipping logs to centralized observability platforms were inadvertently exposing secrets.
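As an added defense-in-depth example (not code from the Spring project or the advisory, and no substitute for the patched releases), a servlet filter that rejects Config Server request paths whose segments contain anything other than plain application, profile and label characters. The class name, the accepted character set and the assumption that labels use the (_) convention for slashes are mine and should be tuned to the deployment's naming scheme.

```java
import java.io.IOException;
import java.util.regex.Pattern;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Hypothetical defense-in-depth filter placed in front of Config Server
 * endpoints. It allows only segments that look like application, profile
 * or label names, so values that could be substituted into a file path or
 * repository URL never reach the resolver. Tune SAFE_SEGMENT to your naming.
 */
@Component
public class ConfigPathSegmentFilter extends OncePerRequestFilter {

    // Letters, digits, '.', '_', '-', plus ',' for comma-separated profile
    // lists and '(' ')' for the "(_)" label convention used for '/' in labels.
    private static final Pattern SAFE_SEGMENT = Pattern.compile("[A-Za-z0-9._,()-]+");

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // Inspect the raw, still-encoded URI so percent-encoded sequences
        // are rejected rather than decoded into something the pattern misses.
        if (!isSafePath(request.getRequestURI())) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid config path");
            return;
        }
        chain.doFilter(request, response);
    }

    /** Returns true only when every non-empty path segment is a plain name. */
    static boolean isSafePath(String rawPath) {
        // Percent-encoding and backslashes are never needed for legitimate names here.
        if (rawPath.contains("%") || rawPath.contains("\\")) {
            return false;
        }
        for (String segment : rawPath.split("/")) {
            if (segment.isEmpty()) {
                continue;
            }
            // Dot-only segments pass the character class but change directories.
            if (segment.equals(".") || segment.equals("..")) {
                return false;
            }
            if (!SAFE_SEGMENT.matcher(segment).matches()) {
                return false;
            }
        }
        return true;
    }
}
```

Requests rejected by the filter are worth alerting on, since a legitimate client never sends encoded or dot-only segments to these endpoints.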
Spring Cloud Function is affected by a denial-of-service condition where an OOM error can be triggered by adding an unbounded number of functions to the Function Registry. This affects versions 3.2.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x.
All CVEs are addressed in the May 8 releases of Spring Cloud Function and Spring Cloud Config. Check spring.io/security for the specific fixed versions applicable to your deployment and review whether trace logging for Config Server is enabled in any environment.
Read more — Spring Blog
Spring AI 1.0.7 and 1.1.6 Maintenance Releases Available
Alongside the milestone 2.0.0-M6 release, the Spring AI team published maintenance updates to both active stable lines on May 8, 2026.
Spring AI 1.0.7 and Spring AI 1.1.6 are patch releases targeting teams that have not yet migrated to the 2.0 line. These releases carry bug fixes and dependency updates but do not introduce new features, following the Spring maintenance release policy. Production deployments running Spring AI 1.0.x or 1.1.x should apply these patches as part of routine maintenance.
For teams evaluating the 2.0 milestone line, the concurrently released 2.0.0-M6 added a buildRequestPrompt() method to the ChatModel interface, which standardises how chat prompts are assembled from model options before dispatch, and redefined EncodingFormat as an enum type for improved type safety when specifying embedding output formats.
The stable 1.x line remains the recommended choice for production workloads until Spring AI 2.0 GA, which the team has not yet scheduled. The 2.0 API has seen substantial changes across each milestone, suggesting that the API stabilisation period is still ongoing.
Read more — Spring Blog
Spring May Release Train Postponed to June 1–5
In a brief post on May 11, the Spring team announced that the May release train — originally scheduled to ship between May 11 and May 22 — has been pushed back to June 1–5, 2026.
The delay affects all OSS versions in the train, including patch releases across existing minor lines and the anticipated Spring Boot 4.1.0 general availability. Spring Boot 4.1 has been progressing through RC1 (released April 23) and was expected to finalize in May before this rescheduling. The team cited the need for additional time to incorporate new minor versions and ensure quality across the release cohort.
For teams planning dependency upgrades around the original May window, the new target is the first week of June. The official Spring release calendar at calendar.spring.io will be updated to reflect the revised dates. Spring Boot 4.1 will bring first-class OTLP SDK exporter environment variable support, LazyConnectionDataSourceProxy auto-configuration for improved transaction management, and AMQP 1.0 specification support with AmqpConnectionFactory auto-configuration.
Read more — Spring Blog